Solved: Re: How To Change Fix Field Value

dbray_sd · ‎02-12-2016

We are pulling in mysql_query events from a freeradius server however one of the field values has an or "|" in it, so Splunk is ignoring the correct next value. Here is the log entry:

acctinputoctets = '0'         << 32 |                                        '442929',                       acctoutputoctets =               '0' <<      32        | '7920416'

Splunk is pulling only the '0' for the values. We need it to ignore the: '0' << 32 |

How do we update the field values so that the correct value is indexed?

lguinn2 · ‎02-12-2016

Instead of using automatic field extraction, you will probably need to specify the fields. You can do this

props.conf

[yoursourcetype]
REPORT-fe=extract_fields

transforms.conf

[extract_fields]
FORMAT = $1::$2
REGEX = (\w+)\s*\=.*?\|\s*'(.*?)'

You may need to add

KV_MODE = none

to props.conf, but it would be better if you didn't need it.

View solution in original post

lguinn2 · ‎02-12-2016

Instead of using automatic field extraction, you will probably need to specify the fields. You can do this

props.conf

[yoursourcetype]
REPORT-fe=extract_fields

transforms.conf

[extract_fields]
FORMAT = $1::$2
REGEX = (\w+)\s*\=.*?\|\s*'(.*?)'

You may need to add

KV_MODE = none

to props.conf, but it would be better if you didn't need it.

somesoni2 · ‎02-12-2016

How are you ingesting data? using DB Connect OR file monitoring?? Looks like you got some prefix with field value, which you can correct before indexing (for new events only) OR use Field extraction to ignore in the field value.

dbray_sd · ‎02-15-2016

We are using the Splunk Universal Forwarder to pull in /var/log/mysql/mysql_query.log

How To Change Fix Field Value

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!